Platform: wordpress
Component: file-manager-pro
Fixed in: 8.3.8
CVE-2024-7559 is an arbitrary file access vulnerability affecting the File Manager Pro plugin for WordPress. This vulnerability allows authenticated attackers, even those with Subscriber-level access, to upload arbitrary files to the server, potentially enabling remote code execution. The vulnerability exists in versions up to and including 8.3.7, and a patch is available to address the issue.
An attacker exploiting CVE-2024-7559 can upload malicious files, such as web shells, to the WordPress server. Successful upload and execution of such a file could grant the attacker complete control over the affected website, including the ability to modify content, steal sensitive data (user credentials, database information), and potentially pivot to other systems on the network. The impact is amplified if the WordPress site hosts sensitive data or is part of a larger infrastructure. The requirement for authenticated access, while limiting the scope, still poses a significant risk, as Subscriber-level users are often present on WordPress sites.
CVE-2024-7559 was publicly disclosed on August 23, 2024. There are currently no known public exploits or active campaigns targeting this vulnerability, but the ease of exploitation and the wide usage of WordPress plugins make it a potential target. The vulnerability is not currently listed on the CISA KEV catalog. The lack of immediate exploitation does not diminish the risk, as attackers often take time to develop and deploy exploits.
WordPress websites utilizing the File Manager Pro plugin, particularly those with Subscriber-level users who have file upload privileges, are at risk. Shared hosting environments where WordPress installations are managed by the hosting provider are also at increased risk, as they may lack the ability to quickly apply security patches.
• wordpress / composer / npm:
  grep -r "mk_file_folder_manager" /var/www/html/wp-content/plugins/file-manager-pro/
• wordpress / composer / npm:
  wp plugin list | grep "File Manager Pro"
• wordpress / composer / npm:
  wp plugin update file-manager-pro
• generic web: Check the WordPress plugin directory for updated versions of File Manager Pro.
disclosure
Exploit status:
EPSS: 12.80% (94th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-7559 is to immediately upgrade the File Manager Pro plugin to a version higher than 8.3.7. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider restricting file upload permissions for Subscriber-level users within WordPress. Implement a Web Application Firewall (WAF) rule to block requests to the mkfilefolder_manager AJAX action with suspicious file extensions (e.g., .php, .exe, .asp). Regularly scan the WordPress installation for unauthorized files and monitor server logs for unusual file upload activity.
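The two checks the mitigation text asks for, a version check against the fixed release and a scan of web-server logs for upload requests to the plugin's AJAX action carrying executable file names, as an added example. This is not code from the advisory or from the plugin vendor. It assumes the plugin's main PHP file carries a standard WordPress `Version:` header, that the `action` parameter and the file name are visible in the logged request target (in practice they may sit in a POST body your log format does not record), and it matches both spellings of the action name that appear on this page. The log lines, the header snippet and the extension list beyond `.php`, `.exe` and `.asp` are constructed for the example.

```python
"""Defender-side checks for CVE-2024-7559 (File Manager Pro <= 8.3.7).

Added example, not the advisory's or vendor's code. Assumptions:
  - plugin main file has a WordPress "Version:" header line;
  - action name and file name appear in the logged request target;
  - the access log is in Apache/nginx combined format.
All sample data below is constructed.
"""
import os
import re
from urllib.parse import parse_qs, urlsplit

FIXED_VERSION = (8, 3, 8)  # advisory: fixed in 8.3.8, affected up to 8.3.7

# The page spells the AJAX action both "mk_file_folder_manager" and
# "mkfilefolder_manager"; match either form.
ACTION_RE = re.compile(r"mk_?file_?folder_?manager")

# Advisory lists .php/.exe/.asp as examples; the rest are assumed additions.
SUSPICIOUS_EXT = {".php", ".phtml", ".phar", ".exe", ".asp", ".aspx"}

# Combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(text):
    """Turn '8.3.7' (or '8.3.7-rc1') into an int tuple for ordering."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])


def plugin_version_from_header(header_text):
    """Extract the value of the 'Version:' line from a plugin header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def is_vulnerable(version_str):
    """True when the installed version is below the fixed release."""
    return parse_version(version_str) < FIXED_VERSION


def has_executable_extension(name):
    """Check every dotted segment so 'shell.php.jpg' is not missed."""
    parts = name.lower().split(".")
    return any("." + p in SUSPICIOUS_EXT for p in parts[1:])


def suspicious_upload(line):
    """Return a finding for an upload via the plugin action with an
    executable file name, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/admin-ajax.php"):
        return None
    params = parse_qs(url.query)
    action = params.get("action", [""])[0]
    if not ACTION_RE.fullmatch(action):
        return None
    names = [v for vals in params.values() for v in vals]
    bad = [n for n in names if has_executable_extension(n)]
    if not bad:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"),
            "files": bad, "status": int(m.group("status"))}


def scan_log(lines):
    """Run suspicious_upload over every line and collect the findings."""
    return [f for f in (suspicious_upload(l) for l in lines) if f]


# Constructed samples: a plugin header and four access-log lines.
SAMPLE_HEADER = """\
<?php
/**
 * Plugin Name: File Manager Pro
 * Version: 8.3.7
 */
"""

SAMPLE_LOG = """\
198.51.100.7 - - [23/Aug/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=mk_file_folder_manager&file=shell.php HTTP/1.1" 200 512
198.51.100.7 - - [23/Aug/2024:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=mkfilefolder_manager&file=img.php.jpg HTTP/1.1" 200 512
203.0.113.9 - - [23/Aug/2024:10:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=mk_file_folder_manager&file=report.pdf HTTP/1.1" 200 480
203.0.113.9 - - [23/Aug/2024:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3021
"""

if __name__ == "__main__":
    ver = plugin_version_from_header(SAMPLE_HEADER)
    print(f"installed {ver}: {'VULNERABLE' if is_vulnerable(ver) else 'patched'}")
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print("suspicious upload:", finding)
```

Point `plugin_version_from_header` at the real plugin main file and `scan_log` at your access log; a hit on the second sample line shows why the extension check walks every dotted segment rather than only the last one. A WAF rule at the edge should deny the same pattern rather than merely log it, and the log scan remains useful afterwards as a record of attempts.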
Update the File Manager Pro plugin to the latest available version. The vulnerability allows arbitrary file upload, which could lead to remote code execution. The update fixes the missing file type validation and capability checks.
CVE-2024-7559 is a vulnerability in the File Manager Pro WordPress plugin allowing authenticated users to upload arbitrary files, potentially leading to remote code execution. It affects versions up to 8.3.7 and has a CVSS score of 8.8 (HIGH).
You are affected if you are using the File Manager Pro plugin in WordPress and have a version equal to or less than 8.3.7. Check your plugin version and upgrade immediately if necessary.
The recommended fix is to upgrade the File Manager Pro plugin to a version higher than 8.3.7. If immediate upgrade is not possible, consider temporary workarounds like restricting file upload permissions.
As of August 23, 2024, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the File Manager Pro plugin website and WordPress plugin directory for the latest advisory and update information.